Grubhub Crypto Scam Targets Users with Fake Holiday Promotion
Summary
Grubhub and Betterment users received fraudulent emails from legitimate subdomains, promising a tenfold and triple return on sent Bitcoin and Ethereum, respectively, as part of a fake 'Holiday Crypto Promotion.' The emails, sent from addresses like '[email protected]' and '[email protected],' included recipients' names and urged them to send cryptocurrency within a limited time for a promised return. Both companies confirmed the unauthorized messages and stated they have contained the issue. The scam is a classic crypto reward scheme, where victims are lured into sending funds with the false promise of a larger return. The incident follows a previous data breach earlier in the year where a third-party support account was compromised, exposing customer and merchant data.
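The reward-scheme pattern the summary describes (a named recipient, a wallet address, a promised multiple, and a deadline) can be scored mechanically at a mail gateway or in an abuse-report triage queue. The following Python is an added example written for this page, not code from Grubhub, Betterment or BleepingComputer; the two sample messages and the wallet address are constructed, and the indicator phrases are assumptions drawn from the behaviour described above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Syntactic shapes of Bitcoin (legacy, bech32) and Ethereum addresses. These only
# recognise the form of an address; no checksum validation is attempted.
CRYPTO_ADDRESS = re.compile(
    r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}|0x[a-fA-F0-9]{40})\b"
)
# "Send X, get a multiple back" wording: 10x, tenfold, triple, double, "3 times".
MULTIPLIER = re.compile(r"\b(?:\d+\s*x\b|tenfold|triple|double|[2-9]\s*times\b)", re.IGNORECASE)
# Time pressure of the kind the Grubhub messages used (a 30-minute window).
URGENCY = re.compile(
    r"\b(?:within\s+\d+\s*(?:minutes?|hours?)|limited\s+time|act\s+now|expires?\s+(?:soon|today))\b",
    re.IGNORECASE,
)
# An instruction to move funds, with the asset named in the same clause.
SEND_INSTRUCTION = re.compile(
    r"\b(?:send|transfer|deposit)\b[^.\n]{0,60}?\b(?:btc|bitcoin|eth|ethereum|crypto(?:currency)?)\b",
    re.IGNORECASE,
)

# Indicators are evaluated in this order, so hit lists are stable across runs.
INDICATORS = {
    "address": CRYPTO_ADDRESS,
    "multiplier": MULTIPLIER,
    "urgency": URGENCY,
    "send_instruction": SEND_INSTRUCTION,
}


@dataclass
class Verdict:
    """Which indicators fired for one message, and whether the defining pair is present."""
    hits: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.hits)

    @property
    def suspicious(self) -> bool:
        # A wallet address combined with a promised multiple is the core of the scheme;
        # urgency and an explicit send instruction raise the score but are not required.
        return "address" in self.hits and "multiplier" in self.hits


def score_message(subject: str, body: str) -> Verdict:
    """Run every indicator over subject and body and collect the names of those that matched."""
    text = f"{subject}\n{body}"
    return Verdict(hits=[name for name, pattern in INDICATORS.items() if pattern.search(text)])


# Constructed wallet address and sample messages; none of these are real artefacts from the incident.
FAKE_ADDRESS = "bc1q" + "example" + "x" * 31

SCAM_SAMPLE = (
    "Holiday Crypto Promotion",
    f"Hi Alex,\nTo celebrate the holidays we are giving back. Send Bitcoin to {FAKE_ADDRESS} "
    "within 30 minutes and we will return 10x the amount to your wallet.\n",
)
BENIGN_SAMPLE = (
    "Your order is on its way",
    "Hi Alex,\nYour order will arrive in about 30 minutes. Enjoy your triple cheeseburger!\n",
)

if __name__ == "__main__":
    for label, (subject, body) in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        verdict = score_message(subject, body)
        print(f"{label}: score={verdict.score} hits={verdict.hits} suspicious={verdict.suspicious}")
```

The benign order-status message trips the multiplier pattern on "triple" alone, which is why the verdict requires the address and the multiplier together rather than any single phrase; the remaining indicators only rank suspicious messages for analyst review.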
Timeline
- 13.01.2026 18:46 (1 article)
Betterment Crypto Scam Targets Users with Fake Holiday Promotion
Betterment confirmed a data breach where hackers sent fake crypto-related messages to some customers. The threat actor gained access to a third-party software platform used by Betterment for marketing activity and sent fraudulent emails from the legitimate subdomain '[email protected].' The scam promised to triple the amount of cryptocurrency sent to a specific address. The attacker accessed certain customer information, including full names, email addresses, physical addresses, phone numbers, and dates of birth. Betterment confirmed that its technical infrastructure remained secure and no customer accounts were accessed or credentials exposed.
Sources:
- Betterment confirms data breach after wave of crypto scam emails — www.bleepingcomputer.com — 13.01.2026 18:46
- 26.12.2025 22:22 (2 articles)
Grubhub Crypto Scam Targets Users with Fake Holiday Promotion
Grubhub users received fraudulent emails from a legitimate subdomain, promising a tenfold return on sent Bitcoin as part of a fake 'Holiday Crypto Promotion.' The emails, sent from addresses like '[email protected]' and '[email protected],' included recipients' names and urged them to send Bitcoin within 30 minutes for a promised 10x return. Grubhub confirmed the unauthorized messages and stated they have contained the issue. The scam is a classic crypto reward scheme, where victims are lured into sending funds with the false promise of a larger return. The incident follows a previous data breach earlier in the year where a third-party support account was compromised, exposing customer and merchant data.
Sources:
- Fake GrubHub emails promise tenfold return on sent cryptocurrency — www.bleepingcomputer.com — 26.12.2025 22:22
- Betterment confirms data breach after wave of crypto scam emails — www.bleepingcomputer.com — 13.01.2026 18:46
Information Snippets
- Fraudulent emails were sent from the legitimate Grubhub subdomain 'b.grubhub.com', which is used for merchant communications.
  First reported: 26.12.2025 22:22 (1 source, 2 articles). Sources:
  - Fake GrubHub emails promise tenfold return on sent cryptocurrency — www.bleepingcomputer.com — 26.12.2025 22:22
  - Betterment confirms data breach after wave of crypto scam emails — www.bleepingcomputer.com — 13.01.2026 18:46
- Emails promised a tenfold return on Bitcoin sent to a specified wallet within 30 minutes.
  First reported: 26.12.2025 22:22 (1 source, 2 articles). Sources:
  - Fake GrubHub emails promise tenfold return on sent cryptocurrency — www.bleepingcomputer.com — 26.12.2025 22:22
  - Betterment confirms data breach after wave of crypto scam emails — www.bleepingcomputer.com — 13.01.2026 18:46
- Grubhub confirmed the unauthorized messages and stated they have contained the issue.
  First reported: 26.12.2025 22:22 (1 source, 2 articles). Sources:
  - Fake GrubHub emails promise tenfold return on sent cryptocurrency — www.bleepingcomputer.com — 26.12.2025 22:22
  - Betterment confirms data breach after wave of crypto scam emails — www.bleepingcomputer.com — 13.01.2026 18:46
- The scam is a classic crypto reward scheme, luring victims with false promises of larger returns.
  First reported: 26.12.2025 22:22 (1 source, 2 articles). Sources:
  - Fake GrubHub emails promise tenfold return on sent cryptocurrency — www.bleepingcomputer.com — 26.12.2025 22:22
  - Betterment confirms data breach after wave of crypto scam emails — www.bleepingcomputer.com — 13.01.2026 18:46
- Earlier in the year, Grubhub suffered a data breach involving a third-party support account, exposing customer and merchant data.
  First reported: 26.12.2025 22:22 (1 source, 2 articles). Sources:
  - Fake GrubHub emails promise tenfold return on sent cryptocurrency — www.bleepingcomputer.com — 26.12.2025 22:22
  - Betterment confirms data breach after wave of crypto scam emails — www.bleepingcomputer.com — 13.01.2026 18:46
- Betterment confirmed a data breach where hackers sent fake crypto-related messages to some customers.
  First reported: 13.01.2026 18:46 (1 source, 1 article). Sources:
  - Betterment confirms data breach after wave of crypto scam emails — www.bleepingcomputer.com — 13.01.2026 18:46
- The threat actor gained access to a third-party software platform used by Betterment for marketing activity.
  First reported: 13.01.2026 18:46 (1 source, 1 article). Sources:
  - Betterment confirms data breach after wave of crypto scam emails — www.bleepingcomputer.com — 13.01.2026 18:46
- The fraudulent emails came from the legitimate Betterment subdomain '[email protected]'.
  First reported: 13.01.2026 18:46 (1 source, 1 article). Sources:
  - Betterment confirms data breach after wave of crypto scam emails — www.bleepingcomputer.com — 13.01.2026 18:46
- The scam promised to triple the amount of cryptocurrency sent to a specific address.
  First reported: 13.01.2026 18:46 (1 source, 1 article). Sources:
  - Betterment confirms data breach after wave of crypto scam emails — www.bleepingcomputer.com — 13.01.2026 18:46
- The attacker accessed certain customer information, including full names, email addresses, physical addresses, phone numbers, and dates of birth.
  First reported: 13.01.2026 18:46 (1 source, 1 article). Sources:
  - Betterment confirms data breach after wave of crypto scam emails — www.bleepingcomputer.com — 13.01.2026 18:46
- Betterment confirmed that its technical infrastructure remained secure and no customer accounts were accessed or credentials exposed.
  First reported: 13.01.2026 18:46 (1 source, 1 article). Sources:
  - Betterment confirms data breach after wave of crypto scam emails — www.bleepingcomputer.com — 13.01.2026 18:46
Similar Happenings
Misconfigured Email Routing Exploited for Internal Domain Phishing
Threat actors are exploiting misconfigured email routing and spoof protections to impersonate organizations' domains and distribute phishing emails that appear to originate internally. This tactic has surged since May 2025, targeting various industries with phishing-as-a-service (PhaaS) platforms like Typhoon2FA. Successful attacks can lead to credential theft and business email compromise (BEC). The issue arises when complex routing scenarios are configured without strict spoof protections, allowing spoofed emails to bypass security measures. Microsoft blocked over 13 million malicious emails linked to the Typhoon2FA kit in October 2025. Organizations are advised to enforce strict DMARC and SPF policies, properly configure third-party connectors, and ensure MX records point directly to Office 365 to mitigate this risk.
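The closing advice (strict DMARC and SPF policies, MX records pointing straight at Office 365) can be turned into a repeatable check over the records a domain publishes. The following Python is an added example, not code from Microsoft or from the source report; the records and MX hosts below are constructed for a hypothetical example.com tenant, and the checks encode the points in the paragraph plus the standard SPF lookup limit. The caveat that matters for the Grubhub and Betterment incidents on this page also follows from it: a domain that passes every check here still delivers scam mail sent through a compromised third-party platform that is authorised to send for it, because those messages are sent from the legitimate domain.

```python
from __future__ import annotations

import re

# DMARC policies ordered from weakest to strongest.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}
# Microsoft 365 receives inbound mail on hosts under this suffix; an MX pointing anywhere
# else means a third-party hop sits in front of the tenant.
M365_MX_SUFFIX = ".mail.protection.outlook.com"
# SPF terms that cost a DNS lookup; the evaluation limit is 10 (RFC 7208).
SPF_LOOKUP_TERM = re.compile(r"^[+\-~?]?(?:include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.IGNORECASE)


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return findings that make a DMARC record weaker than p=reject on every subdomain."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings: list[str] = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail is junked rather than rejected")
    # sp defaults to p; an explicit weaker sp leaves subdomains less protected than the apex.
    subdomain_policy = tags.get("sp", policy).lower()
    if POLICY_RANK.get(subdomain_policy, 0) < POLICY_RANK.get(policy, 0):
        findings.append(f"sp={subdomain_policy}: subdomains are enforced more weakly than the organisational domain")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings


def assess_spf(record: str) -> list[str]:
    """Return findings for an SPF record whose final 'all' does not hard-fail unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings: list[str] = []
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: any host on the internet is an authorised sender")
        elif qualifier == "~":
            findings.append("~all: softfail only; many receivers still deliver the mail")
        elif qualifier == "?":
            findings.append("?all: neutral result, equivalent to no policy")
    lookups = sum(1 for t in terms[1:] if SPF_LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms: exceeds the limit of 10, evaluation ends in permerror")
    return findings


def mx_routes_directly_to_m365(mx_hosts: list[str]) -> bool:
    """True only when every MX host is a Microsoft 365 inbound host, i.e. no external relay in front."""
    return bool(mx_hosts) and all(h.lower().rstrip(".").endswith(M365_MX_SUFFIX) for h in mx_hosts)


# Constructed records for a hypothetical example.com tenant; not taken from any real domain.
WEAK_SPF = "v=spf1 include:mailer.example.net ~all"
STRICT_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none; sp=none"
STRICT_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
MX_VIA_RELAY = ["mx1.filter.example.net"]
MX_DIRECT = ["example-com.mail.protection.outlook.com"]

if __name__ == "__main__":
    for label, spf, dmarc, mx in (("weak", WEAK_SPF, WEAK_DMARC, MX_VIA_RELAY),
                                  ("strict", STRICT_SPF, STRICT_DMARC, MX_DIRECT)):
        print(f"[{label}] SPF: {assess_spf(spf) or 'ok'}")
        print(f"[{label}] DMARC: {assess_dmarc(dmarc) or 'ok'}")
        print(f"[{label}] MX direct to Microsoft 365: {mx_routes_directly_to_m365(mx)}")
```

In practice the three inputs come from TXT and MX lookups on the domain and its sending subdomains; the functions are kept free of DNS calls so they can be unit-tested and run against records exported from a change-control review.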
Sax LLP Data Breach Impacts 220,000 Individuals
Sax LLP, a top-ranked US accounting firm, disclosed a data breach affecting 228,876 individuals. The breach occurred in late July 2024 but was only detected on August 7, 2024. The company took over 16 months to notify affected individuals. Compromised data includes names, dates of birth, SSNs, driver’s license numbers, and passport numbers. The firm is offering free credit monitoring and identity protection services, but the delay in notification reduces their effectiveness. The breach was not publicly claimed by any known ransomware group, suggesting either a private operation or a paid ransom to keep the attack undisclosed.
FBI Warns of $262M Stolen in Account Takeover Fraud Schemes
Since January 2025, cybercriminals impersonating bank support teams have stolen over $262 million through account takeover (ATO) fraud schemes. The FBI's Internet Crime Complaint Center (IC3) has received over 5,100 complaints, affecting individuals and businesses across various sectors. Criminals gain unauthorized access to online financial accounts using social engineering techniques or fraudulent websites. Once in control, they wire funds to crypto wallets and often change account passwords, making recovery difficult. The FBI advises monitoring financial accounts, using strong passwords, enabling MFA, and avoiding search results for banking websites. Victims are urged to contact their financial institutions immediately and file complaints with the IC3.

Recent reports highlight the growing use of AI-powered phishing campaigns, SEO poisoning, and exploitation of e-commerce vulnerabilities, particularly ahead of the holiday season. Additionally, purchase scams and mobile phishing (mishing) sites have seen a significant increase, leveraging trusted brand names to deceive users.

The U.S. Justice Department (DoJ) has seized the fraud domain web3adspanels[.]org, which was used to host and manipulate illegally harvested bank login credentials. The scheme targeted 19 victims across the U.S., including two companies in the Northern District of Georgia, with attempted losses of approximately $28 million and actual losses of approximately $14.6 million. The confiscated domain stored the stolen login credentials of thousands of victims and hosted a backend server to facilitate takeover fraud as recently as November 2025. The FBI and Estonian law enforcement collaborated in this seizure, and the domain now displays a law enforcement banner indicating it is under the control of authorities. No arrests have been made yet, but the investigation may reveal clues leading to the operators.
Merkle Breach Exposes Employee and Client Data
Merkle, a US-based subsidiary of Dentsu, experienced a cyberattack resulting in the theft of sensitive employee and client data. The breach was detected through unusual network activity, prompting an incident response and investigation. The stolen data includes bank details, payroll information, and personal contact details. Merkle has notified affected individuals and law enforcement, and is offering credit monitoring and Dark Web monitoring to impacted employees. The nature of the attack remains unknown, but it may involve data extortion or ransomware. The incident highlights the ongoing threat of data theft and the importance of robust incident response protocols.
ShinyHunters and Scattered Spider Collaboration
The **ShinyHunters and Scattered Spider collaboration** has escalated with a **new extortion campaign targeting PornHub Premium members**, following the **Mixpanel data breach on November 8, 2025**. ShinyHunters, confirmed as the perpetrator, stole **94GB of data** containing **over 200 million records** of PornHub users' historical search, watch, and download activity from 2021 or earlier. The stolen data includes **email addresses, video URLs, keywords, locations, and timestamps**, which the group is now using to extort victims, including PornHub, via ransom demands. PornHub confirmed the breach impacted its Premium users but clarified that **no passwords, payment details, or financial information were exposed** and that the compromise stemmed from a **third-party vendor (Mixpanel)**, not its own systems. **Mixpanel has disputed the origin of the data**, stating it was last accessed by a legitimate PornHub employee account in 2023 and that there is no evidence it was stolen during their November 2025 incident. This latest attack follows a year-long pattern of **high-impact breaches** by ShinyHunters and Scattered Spider, including the **$107 million loss at the Co-operative Group (U.K.)**, **Jaguar Land Rover’s operational shutdown**, and breaches at **Allianz Life, Farmers Insurance, and Workday**, all exploiting **Salesforce platform vulnerabilities**. The groups have also targeted **Almaviva/FS Italiane Group**, **Zendesk users**, and now **Mixpanel customers**, demonstrating their ability to **leverage third-party IT providers, cloud-based CRM systems, and analytics platforms** to maximize data exposure. Despite arrests (e.g., **Scattered Spider members Owen Flowers and Thalha Jubair**) and claims of shutdowns, the threat persists, with authorities like the **FBI and U.K. NCA** issuing ongoing alerts as the groups adapt tactics, including **smishing, OAuth token abuse, and AI-enhanced tooling** to evade detection. 
The **Gainsight cyber-attack** further expanded in late November 2025, with Salesforce confirming a **larger, unspecified number of victims** beyond the initial three disclosed. The breach involved **unauthorized access via an AT&T IP address on November 8**, followed by **reconnaissance and intrusions using VPN services (Mullvad, Surfshark)** and the **Salesforce-Multi-Org-Fetcher/1.0 technique**. Forensic investigations revealed the attackers exploited **compromised multifactor credentials**, prompting Gainsight to advise customers to **rotate S3 keys, reset passwords, and re-authorize integrations**. Meanwhile, the **SLSH alliance unveiled ShinySp1d3r**, a **ransomware-as-a-service (RaaS) platform** with **advanced anti-forensic capabilities** and **network propagation tools**, administered by core member **Saif Al-Din Khader (aka Rey)**, who claims cooperation with law enforcement since June 2025. The alliance has been linked to **51 cyberattacks in the past year**, combining **RaaS, extortion-as-a-service (EaaS), and insider recruitment** to maximize impact across sectors.